Analysis
- max time kernel: 143s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 12:27
Static task: static1
Behavioral task: behavioral1
- Sample: 961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
- Size: 435KB
- MD5: 961954bbc411d4eafd72efad94a6e160
- SHA1: 0a0e1830d6b2a169527fe61b9111b4171cc5a01f
- SHA256: bcd74869fed12192e15d27254f6736621a82fbdcb555f7a258d0f2fa99eed36e
- SHA512: c70698005bd0974ace29ad991b3dd3cae82809a088ba6b090e1b2786bf72f87e5a87493aadab7d0adf4e2929bf7d0edc903154a590f15439543f45af1ad22cdb
- SSDEEP: 12288:ji8ssa1TX35mrEe0zfGr7c1+GHjcSczuhE:ji8sjTZmrEesbMGDSzu2
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Deletes itself (1 IoCs)
  pid 4920 | Process rundll32.exe
- Executes dropped EXE (1 IoCs)
  pid 388 | Process svchost.exe
- Loads dropped DLL (1 IoCs)
  pid 4920 | Process rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 4920 | Process rundll32.exe
  pid 4920 | Process rundll32.exe
  pid 4920 | Process rundll32.exe
  pid 4920 | Process rundll32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description Token: SeDebugPrivilege | pid 4920 | Process rundll32.exe
  description Token: SeDebugPrivilege | pid 4920 | Process rundll32.exe
  description Token: SeDebugPrivilege | pid 4920 | Process rundll32.exe
  description Token: SeDebugPrivilege | pid 4920 | Process rundll32.exe
  description Token: SeDebugPrivilege | pid 4920 | Process rundll32.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  pid 388 | Process svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description PID 5000 wrote to memory of 4920 | pid 5000 | Process 961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe | procid_target 86
  description PID 5000 wrote to memory of 4920 | pid 5000 | Process 961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe | procid_target 86
  description PID 4920 wrote to memory of 388 | pid 4920 | Process rundll32.exe | procid_target 14
Processes
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID: 388
- C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 5000
  - C:\Windows\SYSTEM32\rundll32.exe (child process of PID 5000)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\tmp88F7.tmp", Install C:\Users\Admin\AppData\Local\Temp\961954bbc411d4eafd72efad94a6e160_JaffaCakes118.exe
    - Deletes itself
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4920
- C:\Windows\system32\WerFault.exe
  Command line: "C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20240814-1228.dmp
  PID: 2772
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 577KB
  MD5: 56ba53de2646c5260d6bbe7c2006d275
  SHA1: 0449eba1d5b0f8b5ef5737429c1b349ff19cfddb
  SHA256: e824123c7536555ec609aef31ddefc6ae084db686be7622ecf302390ad2eba5b
  SHA512: 4fec07c24beef58d8569e5053c55f13ff8b93326310ae1bea714763919bdb3e1988d82d0554739c3c0f36b5b86b24279dfd6d046f00bcdbd5724410cbeed35c9
- Filesize: 59KB
  MD5: b1fb36e272f1ae7aacc6763500ee92a5
  SHA1: 0805ff1ee4618480db415fde38a24a046acdbab4
  SHA256: 0685506aadd8601ec782d017db4313e04d24148c8d6b17eb243a14be072f0d75
  SHA512: d75e7feeb50d5e42a356e55ed83adda4a6ec0f50204db8429dd103daa8e16b37d7234674dd3b294336c44acbbf61c5bfba2043a0c865528c2b51639e87a5ecfa